[Bug 2101134] Re: [sru] Obfuscation/Collection issues in sosreport/sos 4.8.2

Dave Jones 2101134 at bugs.launchpad.net
Mon Apr 7 12:04:20 UTC 2025


The patches all look reasonable, and are correctly annotated with the
upstream origins, which is great. My only concern is the SRU template:
the test plan is relatively complex to carry out and the regression
potential doesn't really cover the full array of possibilities, to my
eyes. Just about any update, regardless of how official or minor it is,
has the potential to break a package, and this section is currently just
covering what the patches affect without considering the potential for
wider consequences.

Still, I think there are mitigating factors here: sosreport is kept up
to date across all series, so (other than focal which has one extra
change) this is the same change, applied to the same version in all
series (the extra change in focal is for the autopkgtests and therefore
doesn't affect the operation of the package on a user's machine).

The test plan could likewise be mitigated by simply linking to the
sosreport updates [1] page, used for existing SRUs (this may not be a
full version-bump SRU, but it is still an SRU so that page arguably
applies).

Anyway, I'll leave it to the reporter to decide whether to bulk out
those sections a bit, but I'm happy to sponsor for the various series.

[1]: https://wiki.ubuntu.com/SosreportUpdates

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2101134

Title:
  [sru] Obfuscation/Collection issues in sosreport/sos 4.8.2

Status in sos package in Ubuntu:
  Fix Released
Status in sosreport source package in Focal:
  In Progress
Status in sosreport source package in Jammy:
  In Progress
Status in sosreport source package in Noble:
  In Progress
Status in sosreport source package in Oracular:
  In Progress
Status in sos source package in Plucky:
  Fix Released

Bug description:
  [ Impact ]

  When doing SRU for sos 4.8.2 we encountered obfuscation issues,
  although not a regression at the time, it was still an issue that had
  been present for a while

  1. So, these passwords would be fully visible to the end support personnel and therefore leaked passwords.
  2. Some logs were no longer being collected which are essential for debugging, such as auth.log, syslog and kern.log in /var/log
  3. The ubuntu plugin was no longer collecting Ubuntu Pro details due to the package name for ubuntu-pro, and hence essential for supportability for customers that have Ubuntu Pro
  4. autopkgtest for focal rendered a new issue, was not necessarily an issue, but the script was catching it

  [ Test Plan ]

  Test 1. Deploy an openstack simple cloud, and run the sos report, check to see if passwords are obfuscated in configuration file for radosgw and horizon config in particular /etc/ceph/ceph.conf and /etc/horizon/local_settings.py
  Test 2. Deploy all series, and ensure that the auth.log, syslog and kern.log are collected from /var/log.
  Test 3. On the same hosts as Test 2, ensure that /var/log/ubuntu-advantage logs are collected
  Test 4. Ensure to do autopkgtest via PPA for arm64 before going for SRU, and ensure all is good before submitting

  [ Where problems could occur ]

  1. The corresponding files are not obfuscated, and we need to update the patches.
  2. The files that have been specified are not being collected.
